Mass-mailing worms are some of the most prevalent and troublesome threats to Internet users today. Worms like Netsky, Beagle, MyDoom, and most recently, Sober, have caused millions of dollars in damage and cleanup costs. Despite the use of computer security software, thousands of users are typically infected in the first few hours of a new worm's outbreak, before security analysts have an opportunity to capture and analyze a sample, and subsequently to create and deploy a signature. To make matters worse, the increasing availability and quality of runtime packers and other obfuscation tools are making it easier for worm writers to automate the creation of new variants of a worm, making analysis more complicated and time consuming.
To effectively protect users and reduce the cleanup burden of these major threats, it would be highly desirable to be able to stop any type of mass-mailing worm during the first few hours of its outbreak. What is needed are methods, systems and computer readable media for effectively detecting fast-spreading worms, including metamorphic worms, in real time during their initial spread.